GDPR

PREAMBLE This charter – “The Charter” has been drawn up with a view to defining the commitments for data protection and specifying the implementation of the General Data Protection Regulation – “GDPR” within the company – the “Company”. The Company attaches particular importance to the protection of the personal data of its employees – the “Employees” –, its customers, its partners, as well as the users of its websites and mobile applications. The Company informs of the processes for collecting personal data, their use as well as the options available to the persons concerned. This Charter may be subject to modification by the Company in the event of regulatory, jurisprudential or technical developments. The Company complies with the French Data Protection Act No. 78-17 of 6 January 1978, as amended, as well as the French Data Protection Act No. 2004-575 of 21 June 2004, as well as the General Data Protection Regulation No. 2016/679 of 27 April 2016. This General Data Protection Regulation No. 2016/679 of 27 April 2016 has become applicable in the European Union since 25 May 2018.

ARTICLE 1 – DEFINITION

The General Data Protection Regulation concerns the processing and circulation of personal data, the information that companies rely on to offer services and products. It establishes rules on the protection of individuals with regard to the processing of personal data and rules on the free movement of such data. It protects the fundamental rights and freedoms of individuals and in particular their right to the protection of personal data. The main objectives of the GDPR are to increase both the protection of individuals concerned by the processing of their personal data and the accountability of those involved in this processing. The aim is also to harmonize the European legal standard on the protection of personal data, so that there is a single framework applying to all Member States.

ARTICLE 2 – CONCEPT OF PERSONAL DATA

Personal data is information that can identify a natural person, directly or indirectly. It can be a name, a photograph, an IP address, a telephone number, a computer login ID, a postal address, a fingerprint, a voice recording, a social security number, an email address, etc. Some data is sensitive because it concerns information that can give rise to discrimination or prejudice: a political opinion, a religious sensitivity, a union commitment, an ethnicity, a sexual orientation, a medical situation or philosophical ideas are sensitive data. They have a specific framework, which prohibits any prior collection without written, clear and explicit consent, and for specific cases, validated by the National Commission for Information Technology and Civil Liberties – “CNIL” and whose public interest is proven.

ARTICLE 3 – DATA COLLECTED WITHIN THE COMPANY

The collection of personal data is subject to a declaration to the French authority for the protection of personal data, the CNIL. Information may be collected in different ways Consent The Company does not collect any personal data without obtaining express consent and providing prior information concerning in particular the type of data collected, their purposes, the person responsible for their processing, and the various rights that the persons at the origin of the data are able to exercise over them. Visits to the website The Company may also be required to collect information during various exchanges, or from external companies via a dynamic and/or interactive internet or mobile application with Internet users, whether or not they are employees of the Company. Cookies The Company's sites and services may issue cookies. They make it possible to recognize the terminal concerned each time that this terminal accesses digital content containing cookies from the same issuer. They allow the services to operate efficiently and to remember preferences. There is still a possibility of deleting the cookies stored on the connection terminal in order to permanently delete the information they contain.

ARTICLE 4 – THE OBLIGATION OF INFORMATION AND COMPLIANCE WITH CONSENT

The Company guarantees the rights of access, rectification and opposition to their data that already existed before the application of the GDPR. It also guarantees the right to limit processing, the right to be forgotten, the right to data portability or the right to erasure of data. The protection of minors under 16 years of age is also strengthened. The consent of the holder of parental authority must be given. Each time data is collected, the data subject must be informed of the legal basis on which the processing is carried out, of their rights over the processing (limitation, portability and appeal) and of the exact methods of processing their data. This information must be visible and accessible on the website where the data is collected, or where applicable, on the media that allow the collection of data (signed contracts, etc.).

ARTICLE 5 – PURPOSES OF THE DATA COLLECTED

Only data that is necessary and relevant to the purposes pursued are collected, in compliance with the principle of proportionality and in order to improve the quality of the products or services that the Company offers. The Company will only collect data that is adequate, relevant and strictly necessary for the purpose of the processing. The data identified as mandatory are necessary in order to benefit from the corresponding functionalities and more specifically operations on the content offered within the company. This policy concerns the Company and its sites, applications, software and services published by the Company and/or using its interface or functionalities.

ARTICLE 6 – USE OF COLLECTED DATA

The Data collected by the company are processed for the purposes of carrying out operations on the contents of the service. This use is based on one of the legal bases provided for by law, namely: the protection of the legitimate interests of the company, the execution of a contract concluded or a commitment, compliance with a legal or regulatory obligation, the preservation of the public interest, such as the prevention or detection of fraud or financial crime. Under no circumstances will the data be processed in a manner incompatible with these purposes, unless prior consent is obtained.

ARTICLE 7 – DATA SECURITY

The personal data collected by the Company is in no case transferred, rented or exchanged to third parties, with the exception of the Company's partners and subsidiaries, unless this was clearly specified when the data concerned was collected. However, the data may be disclosed in application of a law, a regulation or by virtue of a decision of a competent regulatory or judicial authority or, if necessary, for the purposes of preserving its rights and interests. Furthermore, the Company may, where applicable, transmit information if it acquires another company or is the subject of a buyout, merger, absorption, regrouping or reorganization of any kind whatsoever. Any user opening an account is invited to create a username or pseudonym and a password. This password must remain secret and the user must limit access to their computer or mobile devices and log out at the end of using the services. Since personal data is confidential, the company limits access to it to only those employees of the company or service providers who need it in the context of the execution of the processing. All persons having access to personal data are bound by a duty of confidentiality and are exposed to disciplinary measures and/or other sanctions if they do not respect these obligations.

ARTICLE 8 – DATA RETENTION DURATION

The data is stored and retained for the period necessary to achieve the intended purposes. Personal data will thus be retained for the period during which the Company's Employees use the services supporting said data. The aforementioned data is deleted no later than 5 years from the last contact with the person or Employees at the origin of said data.

ARTICLE 9 – RIGHTS CONCERNED

The Company intends to respect all rights with regard to the processing of Personal Data with respect to Employees: the right to be informed about the use of Personal Data; the right to access personal information collected from the Company's Employees; the right to request the correction of inaccurate, incomplete, ambiguous; outdated Personal Data for the Company's Employees; the possibility of requiring the transferability (right to portability) of data to another service provider/user; the right to define guidelines relating to the fate of Personal Data after death; the right to file, where appropriate, justified and duly motivated complaints with the national authority responsible for the protection of Personal Data.

ARTICLE 10 – SANCTION IN THE EVENT OF NON-COMPLIANCE

In the event of a breach of the obligations imposed by the GDPR, the companies concerned may be fined up to €20 million or 4% of global turnover for the largest entities. The CNIL may issue responses in the event of a violation of the regulations, such as formal notices or warnings.

ARTICLE 11 – EMPLOYEE INFORMATION AND PUBLICITY

This Charter will be publicly displayed as an appendix to the internal regulations and will be communicated individually to each Employee of the Company. It will also be available on the Company's website.

ARTICLE 12 – ENTRY INTO FORCE OF THE CHARTER

This Charter is applicable from the date of its publication.